
Maintaining Compliance


Section 404 is just the tip of the iceberg - companies need to take an enterprise approach to ensure ongoing, long-term compliance

By Robert Sepanloo
Sr. VP of Interstage
Fujitsu Software Corporation

The Sarbanes-Oxley Act of 2002 (SOX) has been called the most significant securities legislation since the establishment of the Securities and Exchange Commission (SEC) over 70 years ago. It also rivals - and may surpass - Y2K as one of the largest ongoing IT projects. According to META Group, 90 percent of all public companies have active SOX projects.

SOX is exerting tremendous pressure on CFOs, who now have wide-ranging responsibilities and liabilities pegged to their lapels. In response, CFOs are cranking up resources and time dedicated to ensuring the accuracy of financial reporting. Companies are hiring compliance officers and establishing disclosure committees to execute on recommendations from internal auditors and consultants.

By and large, companies have focused on the near-term deadline for compliance with Section 404, in which they must submit an annual assessment of the effectiveness of their internal control to the SEC. Most companies are on track for Section 404 compliance, and many got there by investing in proprietary documenting and reporting solutions from audit specialists.

Yet even with the aid of specialized SOX tools, documenting controls and procedures is challenging. Most companies rely on spreadsheet-based financial reporting that requires managing hundreds of files. This is a time-intensive method that also invites errors when business processes inevitably change. Consolidating compliance efforts becomes even more complicated for companies with operations in multiple countries.

So for many companies, the time and effort they put into documenting Section 404 compliance will have to be repeated again next year, even with audit tools, because of the inability to rapidly retrieve the right information and a lack of automation to enforce their business processes. The experience will leave many executives feeling as if they are in the movie "Groundhog Day," in which they must repeat a laborious undertaking, year after year.

The Tip of the Iceberg
For those who thought SOX was limited to finance and accounting operations, Section 409 and its implications served as a wake-up call. Section 409 requires companies to disclose "material changes" to their business within 48 hours. Section 409 is a massive challenge because it mandates that companies maintain ongoing, day-to-day compliance.

So just what constitutes a material change? The SEC's definition of a material change is not limited to what one typically considers major business events, such as a merger or an acquisition or a company's filing for bankruptcy. The implications are greater. For instance, if an oil transportation company were to have a major tanker spill, the company would have to ensure that information is rapidly communicated back to its offices so that an 8-K form can be filled out in time to report this material change to comply with the new guidelines.

Having the right communication procedures and associated workflow in place to alert the right officials of the need to collect, approve, and submit the 8-Ks and supporting documentation rapidly then becomes extremely important.

Processes as disparate as those associated with employee benefits payment, environmental compliance and overseas operations are affected by SOX. With Section 302 requiring CFOs and CEOs to certify their financial filings, visibility into a company's benefits-payment and other HR-related processes has become crucial. Non-compliance with local environmental, health and labor laws can result in a company being hit with huge fines. According to the new SOX Act guidelines, the financial ramifications of such an event might warrant another financial filing.

Interestingly, more companies are extending their compliance efforts to broader corporate governance initiatives. Multinational corporations come under additional scrutiny as their auditors seek to ensure that their overseas trade practices are all above board. With fines as high as 100 percent of the value of the illegal transaction, financial officers require processes in place to track suspicious business practices and alert them to such practices.

"Little Sarbanes-Oxley" legislation, state-based versions of the Act, are also anticipated, and are likely to create waves beyond the public-company realm, enforcing corporate governance and accountability in the private and non-profit sector as well.

The Good News
After scrambling to meet the Section 404 deadline, companies can now leverage their experience and investments to put processes in place for long-term compliance. That means taking a fundamental approach by selecting foundational software solutions that will address the mandate landscape both of today - and tomorrow.

In particular, two areas of enterprise infrastructure software offer a framework for ongoing compliance: content integration and business process management (BPM). These are foundational technologies because they don't require companies to "rip and replace" their current infrastructure. They are standards-based solutions that increase the value of your IT investments by synchronizing the flow of information and processes throughout the enterprise.

Content Integration
According to estimates, the average $1 billion company has almost 50 in-house financial applications including multiple enterprise resource planning (ERP) systems. Getting to these financial data stores rapidly can be a challenge, especially if these data stores are in far-flung locations.

The rapid reporting requirements of Section 409, in particular, call for a solution that helps companies get to the right information rapidly, irrespective of location. Content integration software enables a company to quickly access information in disparate systems by creating a virtual repository with links to related information silos. This approach forgoes the creation of a separate central data warehouse, an expensive and time-intensive task that is best suited for historical data analysis.

Important data isn't just in structured formats such as databases though. Most companies are drowning in unstructured data - e-mails, Word documents, and Excel files. The best content integration solutions enable access to unstructured data as well.

For example, a robust content integration solution can access a specific contract in Word format, linked with e-mails about that contract in Exchange Server, and sales forecasts or purchase orders for that product in Oracle SQL. That's helpful for rapidly assessing impact on sales if, for instance, a major contract is terminated and the CFO needs to rapidly file an 8-K with the SEC.

Business Process Management
Once the relevant information is retrieved by a content integration solution, BPM ensures that information is delivered, according to the company's specific processes, to the right person for review and action, and then to the next person in the chain of processes.

BPM offerings are a key component in the enterprise compliance architecture, helping companies automate, manage and formalize the review and sign-off of processes. BPM is effective for both quarterly and annual reports, and also for managing the flow of processes for Section 409 compliance, which requires rapid filing.

In their efforts to reach compliance with Section 404, most organizations have taken that first step by creating and documenting their process flows and controls. This exercise is useful when implementing BPM because those processes can then be modeled and tested using the software. This reinforces the legitimacy of an organization's Section 404 efforts and, once these processes are verified, automation makes rapid filing achievable.

An invaluable feature of BPM solutions is the ability to monitor processes. E-mail alerts and notifications signal when processes stall or change. BPM provides a visual representation of where the process stands, so you can identify bottlenecks and take action to resolve situations.

Companies with overseas operations have to deal, come quarterly close, with the review of representation letters coming from their in-country managers and controllers at multiple reporting locations in different countries. A good BPM solution can help put processes in place for the rapid upstream certification of all this data flowing in from the regions, which can be tracked using compliance dashboards.

Going back to the example cited earlier, in the event of a major contract being terminated, which amounts to a change in financial status and might warrant a rapid filing, BPM can be used in conjunction with a content integration solution to alert the right people in the organization, route the contract-related information to them for review, and streamline the process of filing with the SEC in a timely manner.

In short, BPM enforces accountability and process visibility, which, in turn, leads to better corporate governance.

Building on a Foundation
With content integration and BPM as a foundation, two other groups of software technologies can play a useful role in an enterprise's compliance architecture. The first are tools that help with reporting based on the XBRL format, a standard for financial reporting that has made significant strides recently. The U.K.'s Financial Services Authority (FSA) is making financial filings in XBRL format mandatory beginning 2005 and the SEC is currently evaluating accepting filings in this format beginning with the 2004 calendar year reporting season.

Dealing with large amounts of data brings the associated challenge of ensuring that data is accurate. Manual data entry is fraught with the potential for inconsistent and incorrectly formatted reports, which increases the risk of inaccurate financial filings. Automated XBRL reporting tools integrate with content integration and BPM to help companies rapidly turn around their financial filings via the web, comply with accelerated filing requirements and ensure the accuracy of those filings.

Another enabling technology for compliance is portal software and, like automated XBRL reporting, portals build on the foundation provided by content integration and BPM. Portals are customizable tools for collaboration that can serve compliance efforts both internally and externally.

For instance, portals can serve as collaborative workplaces for "electronic audit committees" reviewing internal controls and processes before an executive can sign off on them. CFOs, compliance officers and others can use portals to access information and BPM alerts, customized to their specific role in the company.

Portals can also extend compliance efforts externally to shareholders. For instance, by providing their investors with access to near real-time disclosures of electronic filings via a portal, companies increase transparency, raise investor confidence and build shareholder value.

The Bottom Line
Some companies are already knee-deep in sifting through their key business operations to identify and document their key business processes and related subprocesses. What they are beginning to realize is that this provides them with a starting point for automating, tracking, and optimizing their business processes to ensure that they stay compliant. Reusable business processes, standardized across the organization, make for good business practice.

Most companies are going through the grind of documenting their internal controls and procedures to meet the approaching deadlines for complying with Section 404 of the Sarbanes-Oxley Act. The message that comes back to me over and over again from these companies is that they don't want to go through the exercise again. So why not leverage these efforts to achieve compliance in the long-term? Companies should examine their content retrieval and business process architecture and invest in technologies with a long-term view. Let's face it: the mandate landscape will only get more crowded and complicated.

Unfortunately, there is no magic potion to alleviate a CFO's compliance headaches. There is a silver lining, however: SOX is providing them with the justification and financial wherewithal to do what they always wanted: improve business agility. With access to the most accurate and timely business information within a company, executives can better understand their real-time operational conditions. And by enforcing correct processes, the right executives can act on that information to make smarter business decisions.


